[00:01.860 --> 00:07.800]  Robert does not need an introduction, but he wants me to give you one because he loves to hear other people talk about him.
[00:09.040 --> 00:17.480]  So, Robert taught me how to hack a Cadillac CTS back in the day. I think, what was it?
[00:17.820 --> 00:24.940]  Or you showed me how to allow the DVD to show video while you're driving.
[00:24.940 --> 00:26.900]  Yeah, while in motion. You need to.
[00:26.900 --> 00:34.280]  Yes, that is very important. And that was a very big learning curve for me.
[00:34.300 --> 00:38.960]  Of course, I was a big dummy, so I forgot the termination and on and on. Everything.
[00:39.440 --> 00:43.880]  So, Robert is going to give his wonderful talk.
[00:44.120 --> 00:44.920]  CMAP.
[00:45.080 --> 00:48.940]  Yes, that's right. CMAP on your... and you've got a repo for this, which we'll put...
[00:49.560 --> 00:51.520]  I know you've already posted it, but I will...
[00:51.520 --> 00:52.420]  We'll link it to things.
[00:52.420 --> 00:57.200]  Yeah, we'll put it into the... and this is track one, correct?
[00:57.200 --> 00:57.660]  Yes.
[00:57.880 --> 01:12.440]  So, any Q&A, normally we've been answering that in the track in text, but this one, we'll try to monitor track one text and we will get those questions to Robert at the end, okay?
[01:13.200 --> 01:14.180]  It's all you, man.
[01:14.180 --> 01:15.120]  Thank you.
[02:10.290 --> 02:12.290]  There we go. Welcome back.
[02:12.370 --> 02:13.630]  Do you want to kill that music?
[02:13.630 --> 02:15.350]  In the stream?
[02:16.430 --> 02:18.870]  It's coming from the Discord channel.
[02:20.210 --> 02:21.770]  Thank you, Discord.
[02:22.490 --> 02:23.890]  Thank you.
[02:29.560 --> 02:31.820]  There. There it goes.
[02:31.820 --> 02:33.100]  We got this.
[02:34.420 --> 02:37.460]  You can see why we didn't do any of the live talks.
[02:38.080 --> 02:40.080]  For this exact reason.
[02:40.080 --> 02:43.760]  All right. Hello, everyone. My name is Robert Leale, also known as CarFuCar.
[02:43.760 --> 02:55.660]  And I would like to talk a little bit about a tool that will help you analyze or check what services are available on a particular vehicle.
[02:55.660 --> 02:58.920]  So, I'm currently connected to a vehicle.
[02:59.260 --> 03:02.700]  Specifically, we have a truck over here.
[03:03.220 --> 03:12.680]  It's the same truck that we're using for the challenges inside of the DEF CON CHV truck.
[03:12.680 --> 03:17.540]  So, after I'm done with this, you guys can go get the repo right from GitHub.
[03:17.540 --> 03:26.420]  So, just go to github.com/canbushack and you'll find CMAP there.
[03:26.740 --> 03:30.580]  Canbushack is one word. C-A-N-B-U-S-H-A-C-K.
[03:30.580 --> 03:33.880]  And you'll find the CMAP repo that lives there.
[03:34.120 --> 03:38.720]  The concept is pretty simple, but kind of basic as well.
[03:38.720 --> 03:44.760]  So, I'm going to take you through sort of a very deep dive into CMAP, how it works.
[03:44.760 --> 03:47.820]  Again, this is live. So, if it fails, sorry.
[03:48.180 --> 03:50.000]  I'll sort of talk about the concepts.
[03:50.000 --> 03:52.520]  I don't have any slides. Like I said, pretty lazy.
[03:52.520 --> 03:54.740]  But the concepts are really simple.
[03:54.740 --> 03:57.420]  So, you're just going to go in. You run this thing.
[03:57.420 --> 04:02.280]  Connect it to a CAN bus. Right now, I'm currently using a Raspberry Pi.
[04:03.320 --> 04:07.380]  Maybe I'll take a second to break out and show you what the Raspberry Pi looks like.
[04:07.380 --> 04:09.140]  Do like a live feed over there.
[04:10.360 --> 04:15.740]  It's connected to a Raspberry Pi, which has got a device that essentially enumerates a CAN0 network.
[04:16.080 --> 04:18.020]  So, CAN0 is SocketCAN.
[04:18.020 --> 04:22.440]  On this one, actually, we are on CAN2.
[04:22.440 --> 04:24.500]  We're going to be on CAN2, not CAN0.
[04:24.720 --> 04:27.520]  So, let me just break this real quick.
[04:28.100 --> 04:29.240]  If I can.
[04:30.040 --> 04:33.300]  If not, I'll get another terminal window open.
[04:34.220 --> 04:36.660]  I might just have to grab another terminal window.
[04:38.040 --> 04:39.340]  Because, you know.
[04:40.520 --> 04:41.740]  Bad idea.
[04:41.760 --> 04:42.360]  Okay.
[04:43.500 --> 04:45.420]  Now my whole screen is frozen.
[04:45.480 --> 04:46.600]  Nothing wrong with that.
[04:48.260 --> 04:49.680]  Sorry, guys.
[04:50.000 --> 04:51.740]  This is why we do it.
[04:55.470 --> 04:58.870]  So, my computer is not happy with this scenario.
[04:58.870 --> 04:59.770]  Real quick.
[05:05.130 --> 05:06.350]  Oh, my goodness.
[05:07.650 --> 05:10.330]  This is why we didn't do any live talks, by the way.
[05:11.510 --> 05:12.950]  I apologize.
[05:13.030 --> 05:16.550]  I cannot get my computer to close this window.
[05:25.800 --> 05:28.400]  It's completely frozen, my computer.
[05:28.400 --> 05:29.460]  So, just one second.
[05:30.600 --> 05:33.420]  Now you guys are missing the real DEF CON experience.
[05:40.620 --> 05:43.100]  It was working great, just two seconds ago.
[05:45.080 --> 05:47.160]  So, how's your guys' day so far?
[05:47.160 --> 05:48.680]  Everything's going well?
[05:48.680 --> 05:49.780]  Alright, good.
[05:50.660 --> 05:56.340]  I'm going to take a picture of these screens so everybody can kind of see what's happening over here.
[05:56.340 --> 05:58.180]  I don't know if you guys got a chance to see this.
[05:58.400 --> 05:59.820]  But it's pretty crazy.
[05:59.880 --> 06:00.640]  I'll show you.
[06:00.640 --> 06:02.840]  Wow, my computer is totally stuck.
[06:04.960 --> 06:05.920]  This is awesome.
[06:06.160 --> 06:12.420]  This is what's happening over there.
[06:12.420 --> 06:13.580]  It's pretty exciting.
[06:13.580 --> 06:15.740]  Right now, my computer is totally frozen.
[06:15.960 --> 06:18.400]  So, I've got nothing.
[06:18.400 --> 06:19.800]  Quite literally.
[06:20.140 --> 06:21.800]  It's done.
[06:22.000 --> 06:24.900]  I can't even terminate a window right now.
[06:24.900 --> 06:25.960]  This is insane.
[06:26.560 --> 06:28.580]  I've never seen this before.
[06:29.100 --> 06:31.060]  This is the first time.
[06:32.860 --> 06:36.480]  I just posted a link to your repo on this holiday.
[06:36.480 --> 06:38.220]  Yeah, no.
[06:38.660 --> 06:39.100]  You know what?
[06:39.100 --> 06:41.320]  We might just try it again in a second.
[06:42.860 --> 06:43.980]  Because everybody...
[06:43.980 --> 06:47.940]  It's quite literally just absolutely frozen.
[06:48.320 --> 06:52.400]  Even my task manager is locked out.
[06:54.460 --> 06:56.600]  This is why we didn't do any logins.
[06:56.600 --> 06:59.880]  So, anybody have any questions about how this works?
[07:01.720 --> 07:06.780]  I'll give it another couple minutes before we bomb out completely.
[07:07.060 --> 07:07.940]  Are you done?
[07:08.440 --> 07:15.430]  I'm better.
[07:15.430 --> 07:17.890]  I need to plug that in anyways.
[07:18.590 --> 07:19.910]  Oh, in the office.
[07:20.570 --> 07:23.070]  It's just next to where I was sitting. It's just a battery charger.
[07:23.070 --> 07:24.070]  Battery charger, okay.
[07:24.070 --> 07:26.670]  I'll be back.
[07:26.970 --> 07:29.530]  Alright, looks like we're back.
[07:31.050 --> 07:35.950]  And I will just close these windows down.
[07:36.170 --> 07:37.090]  I apologize for that.
[07:37.090 --> 07:39.250]  And it's locked.
[07:39.250 --> 07:40.210]  Okay, so.
[07:41.170 --> 07:43.190]  Alright, so I'm going to restart.
[07:44.910 --> 07:47.150]  So, hello everyone. My name is Robert Leale.
[07:48.550 --> 07:51.410]  We're going to edit that out, I'm sure, later.
[07:51.410 --> 07:55.350]  So, if you guys are just joining us, I just had some computer problems.
[07:55.690 --> 08:00.670]  I'm going to go ahead and talk about CMAP, my new car mapping tool.
[08:00.870 --> 08:04.870]  And I'm just going to kind of give you a deep dive of how it works.
[08:04.870 --> 08:06.790]  What we're doing with it.
[08:06.790 --> 08:08.690]  What the goal of it is, as well.
[08:08.690 --> 08:10.710]  So, I guess this is PyCharm.
[08:10.710 --> 08:11.970]  I have PyCharm loaded.
[08:11.970 --> 08:14.130]  And actually, I have the actual code itself.
[08:14.130 --> 08:18.830]  So, if you're going to use this for the first time, there's some configurations that need to happen.
[08:18.990 --> 08:21.710]  I've documented it a little bit on how it works.
[08:21.710 --> 08:25.630]  But ultimately, the concept is pretty simple.
[08:25.630 --> 08:32.870]  We're just going to send CAN bus messages out to different controllers to see if they're there.
[08:32.870 --> 08:34.290]  Just kind of like a ping.
[08:34.870 --> 08:36.090]  So, this is like a ping.
[08:36.470 --> 08:39.530]  Also, with a service mapping tool, as well.
[08:39.530 --> 08:41.550]  So, the first thing that we're going to do.
[08:41.550 --> 08:43.310]  So, I'm going to go ahead and go online.
[08:43.570 --> 08:45.230]  And in debug mode.
[08:45.870 --> 08:49.030]  And you'll notice, as soon as it does that, it kind of goes into debug mode.
[08:49.030 --> 08:50.310]  I'll show you the console.
[08:50.570 --> 08:51.450]  And here we are.
[08:51.450 --> 08:55.990]  The first thing we're going to do is we're going to create a CAN bus object.
[08:55.990 --> 09:01.890]  So, this CAN bus object essentially tells me what CAN bus I want to connect to.
[09:01.890 --> 09:05.350]  So, I can give it different object instantiations.
[09:05.370 --> 09:08.110]  Maybe I'm not going to be working with CAN0.
[09:08.390 --> 09:09.950]  But maybe I'm going to be working with other ones.
[09:09.950 --> 09:12.110]  Sorry, I've got to plug my laptop in.
[09:12.110 --> 09:13.030]  I can plug it in for you while you're talking.
[09:13.030 --> 09:15.090]  I appreciate that. Thank you.
[09:15.090 --> 09:25.270]  So, after you connect to CAN bus and it gets onto the network using CAN0 or whatever CAN interface you are going to want to search.
[09:25.270 --> 09:27.450]  Maybe you can enumerate through multiple searches.
[09:27.850 --> 09:29.030]  That's kind of up to you.
[09:29.030 --> 09:36.350]  So, this first program here is called scan with class.
[09:36.350 --> 09:40.510]  So, we're going to scan the network.
[09:40.510 --> 09:50.030]  But this particular file is meant as an example for you to sort of create your own applications in Python using this program.
[09:50.030 --> 09:52.850]  So, first thing we do, we create a CAN0.
[09:52.850 --> 09:55.430]  And now CAN0 can do a lot of things.
[09:55.430 --> 10:00.530]  So, CAN0 is essentially a network using the network CAN bus class.
[10:00.530 --> 10:03.830]  And that particular class has a method called scan for IDs.
[10:03.990 --> 10:06.630]  So, scan for IDs takes a few arguments.
[10:06.630 --> 10:09.010]  And so, we'll go through those different arguments here.
[10:09.370 --> 10:14.210]  One is the actual service identifier that we want to use to do our scan.
[10:14.570 --> 10:19.210]  On a lot of different vehicles, you might have more success with different service IDs.
[10:19.210 --> 10:23.510]  I have defaulted it to service 3E, which is something called tester present.
[10:23.510 --> 10:26.610]  In theory, tester present shouldn't do any effects.
[10:26.610 --> 10:28.710]  It shouldn't have any effects on the vehicle.
[10:28.710 --> 10:30.090]  It shouldn't start the vehicle.
[10:30.090 --> 10:30.990]  It shouldn't turn on lights.
[10:30.990 --> 10:34.230]  It shouldn't do anything weird on the particular vehicle itself.
[10:34.230 --> 10:36.890]  But sometimes certain controllers don't respond to it.
[10:36.890 --> 10:39.190]  So, you might want to use a different service ID.
[10:39.250 --> 10:43.010]  Maybe service 10 for initiate diagnostics or something like that.
[10:43.010 --> 10:44.950]  So, there's a lot of different services you could use.
[10:44.950 --> 10:46.350]  You could just use 0.
[10:46.510 --> 10:47.470]  Whatever you like.
[10:47.470 --> 10:52.590]  Maybe try different services to see what service IDs work better.
[10:52.590 --> 10:54.230]  It's a single byte identifier.
[10:54.510 --> 10:59.190]  If you put something larger than a single byte, it'll just bring it back down to a single byte.
[10:59.190 --> 11:01.250]  So, just put in a single byte.
[11:01.510 --> 11:04.630]  The next thing we have is the arbitration ID.
[11:04.750 --> 11:08.410]  So, this is the actual identifier, 11-bit identifier that we're going to start at.
[11:09.050 --> 11:13.430]  Since it's 11 bits, we can put any number between 0 and 7FF here.
[11:14.870 --> 11:18.110]  Since this is a start one, we probably want to start it with a low number.
[11:18.110 --> 11:20.770]  But you can start it with a high number and put a low number before.
[11:20.770 --> 11:21.770]  It doesn't matter.
[11:21.910 --> 11:24.170]  It'll just go in the order that you decide to.
[11:24.170 --> 11:29.050]  So, if you put a number like 7FF and you put 0 as the end address,
[11:29.050 --> 11:31.310]  then it'll just decrement as opposed to increment.
[11:31.310 --> 11:32.490]  And I'll show you that later.
[11:32.490 --> 11:34.830]  So, you can go in whatever order you like.
[11:35.330 --> 11:42.750]  Sometimes, when I do my scans, I often do decrement because you'll find more things in the top area,
[11:42.750 --> 11:45.650]  like 700s, 600s, as opposed to the bottom area.
[11:45.650 --> 11:48.410]  So, you're probably going to have more success decrementing.
[11:48.410 --> 11:50.870]  But it's up to you, whatever order you want to go in.
[11:50.870 --> 11:54.490]  So, there's the start arbitration ID and the end arbitration ID.
[11:54.730 --> 11:56.370]  I just accidentally skipped over one.
[11:56.370 --> 11:57.310]  It's called try twice.
[11:57.310 --> 11:59.850]  I'm going to get into what try twice is in a little bit.
[12:00.130 --> 12:02.770]  And then, we'll also prompt wait time.
[12:02.770 --> 12:06.270]  I'll get into some of these other parameters in a little bit when we hit them.
[12:07.210 --> 12:08.490]  So, let's go ahead.
[12:08.490 --> 12:13.230]  So, now we're in that particular method, specifically scan for IDs.
[12:13.510 --> 12:16.550]  So, we just passed it a bunch of variables.
[12:16.550 --> 12:20.010]  There are some others that we didn't pass that are just leaving as the default.
[12:20.030 --> 12:21.930]  And I'll talk about those when we hit them.
[12:21.930 --> 12:27.270]  So, as we go through, we're going to import the CAN bus Python.
[12:27.350 --> 12:30.390]  So, these are some of the prerequisites you'll see when you get to the GitHub.
[12:30.510 --> 12:31.770]  One is CAN.
[12:32.410 --> 12:34.150]  Logging is something that's usually included.
[12:34.150 --> 12:35.610]  And time is something that's usually included.
[12:35.610 --> 12:40.430]  But you do need something called Python-CAN in order for you to...
[12:40.430 --> 12:42.690]  you do a pip install in order for you to run this.
[12:42.690 --> 12:44.450]  So, that's important as well.
[12:45.030 --> 12:47.250]  Oops, what just happened?
[12:47.990 --> 12:50.450]  You know, always something.
[12:50.450 --> 12:51.230]  Isn't it?
[12:52.270 --> 12:54.150]  Frozen bootstrap, I'm not sure.
[12:54.150 --> 12:56.010]  Oops, I hit the wrong button.
[12:56.010 --> 12:56.750]  Hopefully.
[12:57.670 --> 12:58.630]  Of course.
[12:59.010 --> 13:01.910]  Let me just restart the debugger real quick.
[13:03.430 --> 13:05.070]  Sitting too long on something.
[13:05.070 --> 13:06.710]  I think it probably crashed.
[13:09.690 --> 13:10.710]  Okay.
[13:10.750 --> 13:11.550]  So, here we are.
[13:11.550 --> 13:16.850]  So, now here's our input timeout that we're going to use a little bit later.
[13:16.850 --> 13:18.970]  I'm going to initialize something called common pairs.
[13:18.970 --> 13:19.950]  I won't get into too much.
[13:19.950 --> 13:24.350]  I'm just going to go through the more interesting things such as this.
[13:24.350 --> 13:28.850]  So, the first thing I'll do with CMAP is I'll listen to the bus.
[13:28.850 --> 13:30.850]  The reason why I do that, there's two reasons.
[13:30.850 --> 13:38.050]  One, if you have a non-active bus that maybe you have a misconfiguration with how you connect it to the vehicle network,
[13:38.050 --> 13:39.970]  I want you to at least be aware of it.
[13:39.970 --> 13:41.790]  Maybe there's no traffic on it.
[13:41.790 --> 13:47.770]  In fact, that's what we're going to see here on our particular vehicle is there's no traffic on that particular bus.
[13:47.770 --> 13:50.970]  But it's not because the vehicle's off or there's no traffic.
[13:51.370 --> 13:53.190]  There's just no traffic normally.
[13:53.370 --> 13:55.350]  The reason why is we have a gateway.
[13:55.350 --> 13:59.650]  A lot of these vehicles nowadays, especially if we're connecting to the OBD2 port, have a gateway.
[13:59.650 --> 14:00.970]  And this particular vehicle does.
[14:00.970 --> 14:02.970]  But don't let that discourage you.
[14:02.970 --> 14:06.950]  We're using diagnostics and these diagnostic ports are intended for that.
[14:06.950 --> 14:11.590]  So all of this stuff will still pass quite nicely through a diagnostic connector.
[14:11.590 --> 14:14.510]  So even if there is a gateway, it shouldn't matter.
[14:14.510 --> 14:16.250]  Now, it might matter a little bit.
[14:16.250 --> 14:20.950]  Some gateways do filter some information as it's going across the back.
[14:21.510 --> 14:24.530]  So you might want to try it on the other side of a gateway too.
[14:24.530 --> 14:32.070]  But I just want to give you guys an example of, yeah, you can actually do this on what's called the dirty side of a gateway if you want to.
[14:32.070 --> 14:34.430]  So I'm going to initiate a time thing.
[14:34.430 --> 14:38.710]  And then essentially what this will do is it'll sit there and listen to the bus.
[14:38.710 --> 14:44.810]  And if there is no traffic, it'll just warn you, hey, do you really want to continue or not?
[14:45.630 --> 14:52.930]  And if there is traffic, it'll create a list of IDs for later.
[14:52.930 --> 15:04.410]  The reason why we want to know those IDs of what is on the bus is because we want to essentially avoid those identifiers later when we're actually transmitting requests.
[15:05.170 --> 15:10.090]  To scan the bus because those identifiers are not the identifiers we want.
[15:10.090 --> 15:15.530]  You can almost say that any traffic that's normally on the bus is not something you want to transmit on.
[15:15.530 --> 15:19.350]  In fact, if we do transmit on it, that can cause problems.
[15:19.350 --> 15:21.670]  You get lights and other things coming up on your dash.
[15:21.670 --> 15:23.550]  That's something we're going to try to avoid.
[15:23.550 --> 15:29.270]  So just be aware that we do intentionally filter out normal traffic.
[15:29.270 --> 15:36.190]  If you don't want to do that, you can modify this particular class to skip this step if you'd like to.
[15:36.190 --> 15:37.790]  You don't have to do this particular thing.
[15:37.790 --> 15:46.450]  But I think it saves a lot of time and it avoids a lot of accidentally overriding messages that we know are not part of our scan.
[15:46.450 --> 15:48.370]  So that's what I'm going to do here.
[15:48.970 --> 15:53.410]  And after about two seconds or so, I have this sort of timeout after two seconds.
[15:53.410 --> 16:00.730]  It says, hey, I wasn't able to... you'll see that my normal message length is actually going to be at zero.
[16:00.990 --> 16:06.830]  So this is going to say, okay, for sure we need to just sort of warn the user.
[16:06.830 --> 16:09.330]  And that's what we're going to see here, that there was a problem.
[16:09.330 --> 16:11.550]  I'm going to go ahead and just jump past that.
[16:12.290 --> 16:14.510]  So to warn the user, would you like to continue?
[16:14.510 --> 16:17.650]  I gave a little command prompt and I have a timeout in there.
[16:17.650 --> 16:19.150]  It's about two seconds or so.
[16:19.290 --> 16:21.370]  Okay, cool. Let's move on.
[16:21.530 --> 16:23.150]  So what's our message length?
[16:23.150 --> 16:29.610]  Here we have a message length and just some other initialization that's happening of our payload that we're going to send out, etc.
[16:29.610 --> 16:33.230]  I won't get in too much, but here we'll go down to the pairs list.
[16:33.530 --> 16:35.150]  And we initialize everything.
[16:35.150 --> 16:48.690]  And then, of course, if the bus is quiet, one of the challenges with the Python CAN interface is if we're going to listen to the bus and it was quiet, it doesn't let us just sort of timeout.
[16:48.690 --> 16:49.930]  It's got a kind of a weird bug.
[16:49.930 --> 16:55.650]  So in order to get around that bug, I actually do create some noise on the network just to...
[16:55.650 --> 17:02.130]  I have to create some CAN messages just to allow me to receive CAN messages.
[17:02.130 --> 17:04.950]  It's kind of a weird bug that I found. I haven't found a way around.
[17:04.950 --> 17:07.670]  So if anybody knows a way around it, I'd like to hear it.
[17:07.670 --> 17:12.010]  I create some noise here on the CAN bus just so we can get around that.
[17:12.750 --> 17:15.490]  Let's just take a look at the CAN bus real quick here.
[17:16.470 --> 17:20.170]  Go into the device.
[17:20.570 --> 17:24.390]  And so we should be able to do a CAN dump on CAN 0.
[17:25.350 --> 17:28.730]  And there's our noise that's going across real quick.
[17:29.370 --> 17:36.130]  Essentially I'm sending 7FF with a very specific payload that I've initialized earlier.
[17:36.150 --> 17:39.050]  So there's our noise. I just want you to know it's there.
[17:39.570 --> 17:43.830]  I'm actually going to get rid of the noise when we do monitor this CAN bus later.
[17:43.830 --> 17:48.710]  I don't want to see it, so I'll actually just tell it to remove the noise.
[17:48.710 --> 17:51.650]  And you can do that by just creating a negative filter or a not filter.
[17:52.210 --> 17:55.670]  Just a comma 7FF tilde 7FF.
[17:55.670 --> 17:59.910]  And now anything that has the identifier 7FF will be gone.
[17:59.910 --> 18:00.650]  So there we have...
[18:01.610 --> 18:05.330]  Now if I was monitoring the CAN bus, we shouldn't see anything.
[18:05.330 --> 18:07.170]  Now it looks like some people are doing some scans.
[18:07.170 --> 18:09.530]  Again, this is a live network right now.
[18:09.530 --> 18:14.450]  So if anybody's on the network, they will actually be able to see it
[18:14.450 --> 18:18.270]  because people are currently hacking this bus as we speak.
[18:18.270 --> 18:22.570]  So it's kind of cool to see other people working on it as we are as well.
[18:22.650 --> 18:25.090]  And they're going to love us in a little bit.
[18:25.610 --> 18:31.210]  So what I'm going to do is I'm going to send a bunch of CAN IDs.
[18:31.210 --> 18:36.090]  So I have essentially our low range, our low number, our high number,
[18:36.090 --> 18:37.970]  and the direction that we're going to scan.
[18:37.970 --> 18:39.490]  So plus 1, negative 1.
[18:39.490 --> 18:44.770]  Essentially I can skip over IDs if I would like to here, but it's kind of up to me.
[18:44.790 --> 18:47.550]  So here we're going to go and we're going to set this up.
[18:48.270 --> 18:51.790]  All right, here's our arbitration ID.
[18:51.790 --> 18:54.530]  Is it part of our normal messages that we had before?
[18:54.530 --> 18:57.310]  In other words, do I need to skip this ID or not?
[18:57.890 --> 19:00.790]  Because if we were monitoring the CAN bus earlier and we noticed,
[19:00.790 --> 19:05.810]  hey, ID 222 is on the bus and I'm about to send 222, I'll skip over that one.
[19:05.810 --> 19:09.550]  That way we don't have to collide with those particular messages.
[19:09.550 --> 19:12.470]  So it's sort of an anti-collision way of doing it.
[19:12.470 --> 19:14.850]  Now since we didn't have any normal messages on the bus,
[19:14.850 --> 19:17.490]  our normal mode message is gone.
[19:17.490 --> 19:19.470]  It's empty, which is cool.
[19:19.830 --> 19:24.490]  So we'll move on to the next step.
[19:24.650 --> 19:28.590]  In this case, we're going to set up our CAN frame, initialize some things,
[19:28.590 --> 19:32.550]  and then we'll do this thing where we check how many tries
[19:32.550 --> 19:36.470]  or set the amount of tries that we want each time to run.
[19:36.470 --> 19:39.690]  So I'll take a look. Let's take a look real quick at what that means.
[19:39.750 --> 19:44.610]  One of the challenges, especially if we're doing this on a busy and active bus,
[19:45.450 --> 19:48.330]  we're going to send out a command and then we're going to listen
[19:48.330 --> 19:51.830]  for some period of time for responses.
[19:51.830 --> 19:54.230]  Now what is a response? It's just another message.
[19:54.850 --> 19:58.750]  So all of these messages that might be going on on the bus at that particular time
[19:59.130 --> 20:02.650]  could all be replies. So how do we differentiate them?
[20:03.050 --> 20:06.670]  Well, number one, we have this normal message list that we listen to
[20:06.670 --> 20:09.230]  and we can say, hey, is this in the message list or not?
[20:09.230 --> 20:11.970]  The other thing we can do is we can try it multiple times.
[20:11.970 --> 20:17.310]  And if we get the same ID two times, the probability is much greater
[20:17.310 --> 20:19.430]  that this is actually a reply to our message.
[20:19.430 --> 20:23.170]  So I have this ability. I built in this thing so you can actually have it either
[20:23.790 --> 20:27.130]  send it one time or two times. Since this is a quiet bus,
[20:27.130 --> 20:30.670]  we really don't need to do that. Send multiple tries.
[20:30.670 --> 20:34.950]  And again, if you send multiple tries, you're going to send it twice,
[20:34.950 --> 20:37.950]  which means it's going to take twice as long to do a scan.
[20:37.950 --> 20:40.690]  So if you can limit the amount of tries, that's good.
[20:40.690 --> 20:45.510]  So here we are. We set our tries to one, so it's only going to try it one time.
[20:45.510 --> 20:49.630]  I have some logging here. Here we are recreating our CAN bus.
[20:50.670 --> 20:53.370]  And I have a time here. So I want to sort of stop here
[20:53.370 --> 20:57.370]  because this is super time dependent and just go over what I'm about to do.
[20:57.430 --> 21:01.090]  What I'm going to do here at this particular step is I'm going to send
[21:01.090 --> 21:04.230]  this message that I created earlier. If you want to take a look,
[21:04.230 --> 21:09.550]  this message is pretty simple. It's got the identifier 442,
[21:09.550 --> 21:15.090]  so that's where we start. It's got the data bytes 023E,
[21:15.090 --> 21:18.290]  and then the rest are zero. The reason why we're sending zeros
[21:18.290 --> 21:20.150]  is because we need to make sure we pad this data.
[21:20.150 --> 21:24.750]  So essentially, remember I said service 3E is the thing that I'm going to send out?
[21:24.750 --> 21:29.590]  That's in the data bytes themselves. You see it's the second data byte there.
[21:29.590 --> 21:33.510]  So there we are. We're going to send 023E out onto the bus.
[21:33.510 --> 21:36.870]  And if I bring this over, eventually we'll see that come across.
[21:36.870 --> 21:38.830]  So I'm going to do that in just a second.
[21:39.210 --> 21:41.550]  And then what we're going to do is we're going to say,
[21:41.550 --> 21:46.030]  all right, I sent out a request. Then we're going to wait on that particular bus.
[21:46.030 --> 21:47.830]  We're going to wait for a receive message.
[21:47.830 --> 21:50.350]  And that's the reason why I have some noise there,
[21:50.350 --> 21:53.610]  because we have to generate some messages so that our clock
[21:53.610 --> 21:55.490]  or our timing essentially works.
[21:56.150 --> 21:58.630]  So we're going to wait for a receive message,
[21:58.630 --> 22:03.490]  and then we're going to take a look and inspect that receive message.
[22:04.210 --> 22:05.670]  We're going to filter it out.
[22:05.670 --> 22:09.810]  A few things. Is that a receive message that we've already seen before?
[22:09.950 --> 22:11.970]  All right. Well, I don't want to see that anymore.
[22:12.010 --> 22:13.910]  That's not the message that I was looking for.
[22:13.910 --> 22:17.130]  I'm looking for new identifiers, not old identifiers.
[22:17.130 --> 22:19.550]  So in other words, I'm sending out a request.
[22:19.830 --> 22:24.230]  I should not see this identifier or should not have seen it in the past before.
[22:24.230 --> 22:26.310]  So I'm looking for new IDs.
[22:26.550 --> 22:29.650]  Is this ID the same ID that I just sent out?
[22:29.650 --> 22:31.850]  Maybe I just was listening to my own data bus,
[22:31.850 --> 22:33.930]  and I saw an ID that I just sent out.
[22:33.930 --> 22:35.430]  So I don't know. That's not what I want.
[22:35.630 --> 22:40.050]  If I'm sending noise, is this the noise identifier payload that I just sent out?
[22:40.050 --> 22:42.250]  If it is, ignore that as well.
[22:43.050 --> 22:45.930]  Or does this ID have a DLC that's...
[22:46.630 --> 22:53.110]  One of the challenges with SocketCAN is that the way it displays error frames
[22:53.110 --> 22:56.870]  is using ID 000 with a DLC of 4,
[22:56.870 --> 22:59.830]  which is just kind of a dead giveaway that this is an error frame.
[22:59.830 --> 23:02.030]  It's really the only way to know if it's an error frame.
[23:02.030 --> 23:03.410]  So is this also an error frame?
[23:03.930 --> 23:05.390]  Is this an error noise on the bus as well?
[23:05.390 --> 23:07.310]  So I'm filtering out all those other things.
[23:07.310 --> 23:09.910]  And then what we're left with should be,
[23:09.910 --> 23:13.730]  if it passes all of those because they're not true,
[23:13.730 --> 23:18.470]  then we should say, OK, that is indeed a successful arbitration ID.
[23:18.470 --> 23:21.470]  And so we will append our list right here.
[23:21.470 --> 23:23.570]  So let me go ahead and just run this real quick.
[23:23.610 --> 23:29.090]  And then I'll show you what it kind of looks like on the bus as we're going across.
[23:29.430 --> 23:31.050]  So there it is running. Oops.
[23:31.050 --> 23:33.390]  We caught our first one. That's not a coincidence.
[23:33.930 --> 23:34.650]  It started there.
[23:34.690 --> 23:37.310]  So we caught our first identifier right there.
[23:38.030 --> 23:39.510]  Just a second. Oops.
[23:39.510 --> 23:40.770]  Try a second.
[23:41.050 --> 23:42.110]  How do I get rid of that one?
[23:42.110 --> 23:44.510]  No, we haven't caught one yet, but we'll catch one real soon.
[23:44.510 --> 23:48.210]  Let me get rid of some of these breakpoints so we can just see it run.
[23:48.310 --> 23:50.510]  And there it goes. It's running. It's running. It's running.
[23:50.510 --> 23:56.010]  And then pretty soon we're going to get a message.
[23:56.010 --> 23:58.670]  Cool. So we got our first message.
[23:58.670 --> 23:59.970]  Actually, here, let me...
[23:59.970 --> 24:01.730]  Oops. Messed up over here.
[24:03.110 --> 24:03.830]  Let me...
[24:07.990 --> 24:09.210]  Zoom in here.
[24:09.230 --> 24:11.830]  So let me just sort of emphasize what just happened here.
[24:11.830 --> 24:17.010]  So here I sent out this CAN message, 47D.
[24:17.010 --> 24:18.670]  Didn't see anything come across.
[24:18.670 --> 24:20.650]  And the same for all these other ones before.
[24:20.670 --> 24:23.410]  But then I sent out CAN message 47E.
[24:23.710 --> 24:24.930]  Sent out the same message.
[24:24.930 --> 24:27.810]  And then what happened was I got a response.
[24:27.930 --> 24:29.390]  How do I know it was a response?
[24:29.390 --> 24:31.910]  Well, first of all, I've never seen this ID before.
[24:32.150 --> 24:33.870]  That was one reason.
[24:34.430 --> 24:35.750]  I didn't transmit this ID.
[24:35.870 --> 24:37.250]  This wasn't something that I transmitted.
[24:37.250 --> 24:40.030]  I know it's the next number here in this list.
[24:40.030 --> 24:42.270]  But also it's interesting to look at the data bytes.
[24:42.270 --> 24:43.250]  It's a little bit different.
[24:43.250 --> 24:45.990]  It's not a 3E here. It's a 7E.
[24:45.990 --> 24:47.870]  Now, I don't really care what the data bytes are.
[24:47.870 --> 24:49.830]  I could do some more data byte inspection.
[24:49.950 --> 24:52.070]  But for the most part, you don't really have to.
[24:52.070 --> 24:55.910]  You just need to see an identifier that you didn't send on the bus.
[24:55.910 --> 24:57.730]  If you did send it, then, well, you can ignore it.
[24:57.730 --> 25:00.070]  But if you didn't send it, in this case, I didn't send this.
[25:00.070 --> 25:01.450]  It's just something that I received.
[25:01.750 --> 25:02.530]  Oh, good.
[25:04.350 --> 25:05.390]  This is called a pair.
[25:05.490 --> 25:07.670]  So we add this to our pairs list.
[25:07.670 --> 25:08.890]  Now, I have two pairs lists.
[25:08.890 --> 25:12.310]  If I'm trying twice, I'll compare the two pairs lists.
[25:12.310 --> 25:13.890]  In this case, we're not trying twice.
[25:13.890 --> 25:15.750]  We just get the one pair list.
[25:15.750 --> 25:18.390]  So a pair is essentially these two identifiers.
[25:18.510 --> 25:22.090]  A pair is the identifier 47E and 47F.
[25:22.390 --> 25:26.590]  Those pairs are essentially how we can communicate directly with the controller.
[25:26.590 --> 25:31.250]  If we send the ID 47E, we'll get a response back on 47F.
[25:31.250 --> 25:34.330]  So this is kind of the channel, if you will.
[25:34.330 --> 25:35.370]  This is an RF thing.
[25:35.370 --> 25:37.130]  I kind of think about these as the same thing.
[25:37.130 --> 25:40.850]  This is the channel that we send out on, and it's a different channel that we receive on.
[25:40.850 --> 25:42.330]  It's the best way to look at that.
[25:42.330 --> 25:43.770]  And then the data bytes are right here.
[25:43.770 --> 25:48.150]  So anytime I send out a message on 47E, 47F will respond to me.
[25:48.310 --> 25:49.850]  So let's keep going.
[25:49.890 --> 25:50.870]  Let's keep going.
[25:50.870 --> 25:52.430]  Let's just do this.
[25:53.170 --> 25:56.450]  And I don't really care about hitting more pairs.
[25:56.450 --> 25:59.210]  I'm just going to let it go until we get a response.
[26:06.520 --> 26:07.340]  It should be going.
[26:07.340 --> 26:07.880]  Sorry.
[26:07.880 --> 26:09.040]  Okay.
[26:09.240 --> 26:11.700]  So it's going, and it's going to catch a few more.
[26:12.620 --> 26:13.860]  As you'll see.
[26:14.420 --> 26:16.800]  I just realized I need to open up another window.
[26:17.620 --> 26:18.560]  One second.
[26:41.750 --> 26:43.270]  So I'm just going to let it keep running.
[26:43.270 --> 26:44.990]  It'll eventually catch a few more.
[26:45.050 --> 26:47.750]  It's loading up our list, and I'm just letting it run.
[26:47.750 --> 26:55.040]  So just give me one second while I find something.
[26:55.040 --> 26:56.200]  Yeah.
[26:57.280 --> 27:02.700]  One part of debugging is there's no way to hit the escape or whatever.
[27:02.700 --> 27:05.280]  So I've got to do it kind of programmatically.
[27:05.280 --> 27:07.500]  It's an interesting problem that I have to do.
[27:08.220 --> 27:08.660]  So...
[27:08.660 --> 27:09.840]  Boo, boo, boo.
[27:29.760 --> 27:30.640]  Okay.
[27:31.520 --> 27:31.960]  All right.
[27:31.960 --> 27:33.480]  So we finished our scan.
[27:35.100 --> 27:37.020]  And what have we got here?
[27:37.720 --> 27:39.520]  So let's take a look at what happened.
[27:39.520 --> 27:41.620]  So what returns is our pairs list.
[27:41.620 --> 27:43.120]  So let me just open up our debugger.
[27:43.120 --> 27:44.820]  And we'll actually take a look at...
[27:44.820 --> 27:46.520]  We'll watch some of this data.
[27:46.520 --> 27:49.880]  So just one second while I scroll over.
[27:49.880 --> 27:51.240]  Take a look at my watch list.
[27:51.240 --> 27:52.440]  I'll have it open.
[28:05.930 --> 28:08.190]  Just one second while I move this around.
[28:12.710 --> 28:14.670]  Where are you variables?
[28:28.460 --> 28:30.760]  I had them open just two seconds ago.
[28:31.780 --> 28:33.140]  And I lost them.
[28:53.270 --> 28:54.050]  All right.
[28:54.050 --> 28:56.190]  Well, anyways, here's the pairs list.
[28:56.210 --> 28:58.050]  I was going to just open it up for you.
[28:58.050 --> 28:59.790]  But the easiest way to just...
[29:00.930 --> 29:02.530]  So here's the pairs list.
[29:02.610 --> 29:04.950]  Now, what we'll see here is actually...
[29:04.950 --> 29:05.930]  It's hard to tell.
[29:05.930 --> 29:07.890]  But these are all in decimal right now.
[29:07.890 --> 29:10.810]  But if we wanted to, we could see in hex.
[29:12.450 --> 29:13.030]  Sort of.
[29:13.030 --> 29:13.810]  Here's a pair.
[29:14.250 --> 29:15.850]  That's our first one that we grabbed.
[29:16.290 --> 29:17.610]  47E, 47F.
[29:17.610 --> 29:18.690]  So there we have a pair.
[29:18.690 --> 29:20.330]  And then we have a few more here as well.
[29:20.330 --> 29:23.510]  And then you have one that actually has a bunch of different pairs in it.
[29:23.510 --> 29:32.790]  And the reason why we see something like this is, you'll see that all of the different IDs have the same values across all of them.
[29:32.790 --> 29:34.830]  And the reason why is this is called...
[29:35.470 --> 29:36.690]  This particular identifier...
[29:37.910 --> 29:39.350]  So I'll show you here.
[29:39.750 --> 29:42.990]  7DF has multiple different controllers that respond to it.
[29:42.990 --> 29:46.270]  It's called a functional request.
[29:46.270 --> 29:51.330]  So every time we send that particular type of request out, we get multiple responses back.
[29:51.330 --> 29:53.810]  So that's good to know about the functional request.
[29:53.810 --> 29:55.450]  So the functional request will have...
[29:55.450 --> 29:59.090]  The pair itself will be just a list of pairs, essentially.
[29:59.090 --> 30:02.250]  So that's why you'll notice that these lists are actually lists of lists.
[30:02.430 --> 30:05.230]  And most of the time, there's just a single pair inside of there.
[30:05.230 --> 30:07.470]  But in this case, there's multiple pairs.
[30:07.470 --> 30:09.150]  So now we've got a list of pairs.
[30:09.150 --> 30:09.990]  That's great.
[30:10.050 --> 30:11.870]  Now we can do something with that.
[30:11.870 --> 30:13.210]  We have a list.
[30:13.210 --> 30:14.390]  Basically, you do a ping.
[30:14.390 --> 30:20.790]  You check out and see all the different IP addresses that you've got on the network.
[30:20.790 --> 30:22.690]  Same thing. That's exactly what we just did.
[30:22.690 --> 30:24.290]  A scan is kind of a ping.
[30:24.370 --> 30:28.010]  We get a ping for all the different identifiers.
[30:28.010 --> 30:30.470]  And now we've got a list that we can do something with.
[30:30.650 --> 30:34.470]  So inside of this CAN0 has nodes.
[30:34.470 --> 30:37.810]  And those nodes are essentially the pair list that we had before.
[30:38.110 --> 30:42.250]  So now what we can do is just pull out the pairs inside of the pair node.
[30:43.210 --> 30:46.490]  So here we're going to go ahead and take apart that particular one.
[30:46.490 --> 30:48.610]  We're just going to grab the first pair.
[30:48.770 --> 30:53.790]  If it's a list of multiple pairs like we had that I just showed you, I'm just going to kind of ignore that.
[30:53.950 --> 30:58.030]  If you have a script and you want to do a little bit more with that, feel free to do that.
[30:58.030 --> 31:00.810]  And then I'll just go ahead and print it out so we can kind of see.
[31:00.810 --> 31:03.070]  Here it is, our 47E, 47F.
[31:03.130 --> 31:08.410]  Just let us know, hey, we're going to do some work with that particular pair.
[31:08.550 --> 31:11.730]  So let's take a look and see what we're doing next.
[31:11.730 --> 31:16.650]  So we're going to do another thing.
[31:16.650 --> 31:19.490]  Actually, I'm going to skip over the initiation of that particular one.
[31:19.490 --> 31:23.030]  And then go right to the actual method that is interesting for me.
[31:23.030 --> 31:25.070]  And that's the findServices method.
[31:25.110 --> 31:26.710]  Now we have the identifiers.
[31:26.710 --> 31:29.010]  Now what services can we do?
[31:29.010 --> 31:30.850]  So we've done the ping.
[31:30.850 --> 31:32.710]  Now let's do a port scan.
[31:32.710 --> 31:34.570]  That's kind of the best way to describe this.
[31:34.570 --> 31:36.530]  So findServices is going to do a port scan.
[31:36.530 --> 31:40.570]  It's going to see what services or functions the particular controller supports.
[31:40.570 --> 31:42.330]  So let's go ahead and run into that.
[31:43.210 --> 31:50.390]  And the first thing we're going to do is initialize a list of known services in case we want to filter on just known services.
[31:50.430 --> 31:52.850]  And that's kind of what I want to do in a little bit.
[31:52.850 --> 31:55.930]  So we have a few different options here.
[31:55.930 --> 32:04.010]  We can actually filter our list just to try to do a sweep of every single possible service identifier.
[32:04.010 --> 32:08.310]  Which is only 256 possible service identifiers.
[32:08.310 --> 32:14.370]  Or we can just skip service identifiers that are potentially valid.
[32:14.370 --> 32:20.330]  So half of the service identifiers are reserved for response only, not for transmit.
[32:20.330 --> 32:26.310]  So if you're going to get data back from the controller, half of them are reserved for that function as well.
[32:26.310 --> 32:29.750]  So we can say, hey, I just want to work on ones that are valid.
[32:29.750 --> 32:32.610]  Essentially skip the response-only service identifiers.
[32:32.610 --> 32:36.730]  Or we can skip and just scan the ones that are known.
[32:36.730 --> 32:41.330]  So we're just scanning known service identifiers as opposed to unknown ones.
[32:41.330 --> 32:44.010]  And so that's what I've initialized as true here.
[32:44.010 --> 32:47.630]  So we're going to use this list that we have right here.
[32:47.630 --> 32:50.090]  And that's the list of identifiers that we want to go over.
[32:50.090 --> 32:54.710]  Now depending on what type of service scan you want to do, maybe you want to do a more inclusive one.
[32:54.710 --> 32:55.750]  So you'll scan everything.
[32:55.750 --> 33:01.270]  Maybe you want to do a non-inclusive one like this where we just scan the UDS ID.
[33:01.270 --> 33:03.030]  So I give you like three different options.
[33:03.030 --> 33:07.930]  You can scan everything, a little bit of everything, or like half of everything, or just a small amount of everything.
[33:07.950 --> 33:12.950]  So it's just the amount of time you want to spend on doing that.
[33:12.950 --> 33:14.230]  It's kind of the trade-off.
[33:16.650 --> 33:20.870]  So if we've already done the scan once, hey, let's not do it again.
[33:21.330 --> 33:26.970]  Let's just return the container that we store all of the services that that particular node supports.
[33:27.110 --> 33:30.250]  In this case, we haven't done it yet, so that's good.
[33:30.250 --> 33:34.370]  So the other thing that we require is something called ISOTP.
[33:34.830 --> 33:40.050]  I think it's called CAN-ISOTP, if that's the module name.
[33:40.050 --> 33:42.370]  So we're going to have to use that one as well.
[33:42.370 --> 33:49.630]  So go ahead and take a look, try to find CAN-ISOTP on the internets so that you can use this as well.
[33:50.030 --> 33:51.810]  And I'll just keep going.
[33:51.810 --> 33:53.430]  ISOTP is great.
[33:53.430 --> 34:05.210]  ISOTP is essentially the diagnostic layer 2, if you will, the transport layer for CAN bus diagnostics.
[34:05.210 --> 34:08.250]  And it's awesome because there's already a thing for it.
[34:08.250 --> 34:15.990]  So let's go ahead and create the socket, set the padding options so that we can fill in the data bytes,
[34:15.990 --> 34:22.050]  bind that socket, and then we can say, all right, if the service ID is sort of like limit the service ID,
[34:22.050 --> 34:24.810]  so I'm going to skip over some of this stuff. It's pretty self-explanatory.
[34:24.810 --> 34:28.930]  Let's go right into the meat of the actual script. What is it actually doing?
[34:29.490 --> 34:30.910]  So we're going to create a range.
[34:30.910 --> 34:33.970]  So inside of this range, we have two service IDs that we set.
[34:33.970 --> 34:36.610]  One is the start service ID. Where do you want to begin?
[34:36.610 --> 34:39.110]  One is the end service ID. Where do you want to end?
[34:39.110 --> 34:43.010]  Again, if we apply some filters, it's going to skip over that.
[34:43.010 --> 34:49.370]  So typically what I'll say is if you want to grab a small amount, turn on a filter.
[34:49.370 --> 34:53.430]  But if you know there's just a service ID, maybe you want to target one or two service IDs,
[34:53.430 --> 34:57.550]  then you can limit your range to what service IDs you're going to go after.
[34:57.550 --> 35:02.830]  Again, service IDs are only one byte, so really there's only going to be 256 options here.
[35:02.830 --> 35:05.590]  So let's go ahead and see what we want to do.
[35:05.590 --> 35:10.210]  We just grabbed an identifier and a range.
[35:10.570 --> 35:14.670]  And we want to... so I'll look at zero.
[35:14.670 --> 35:17.630]  Hey, do I want to scan this zero ID or not?
[35:17.630 --> 35:23.790]  Since I have a filter turned on, scan only service IDs, I say yes.
[35:23.790 --> 35:28.150]  It's only going to scan a service ID that's in my list.
[35:28.150 --> 35:29.950]  In this case, zero isn't in my list.
[35:29.950 --> 35:31.950]  So it's just going to skip right over it.
[35:31.950 --> 35:34.190]  It's going to continue saying, no, I don't want to do that.
[35:34.190 --> 35:38.410]  So let's go to one where there actually is a service ID I'm interested in.
[35:38.410 --> 35:45.430]  So in this case, the service ID, the first one is going to be ID 16 decimal or 10 in hexadecimal.
[35:45.430 --> 35:54.030]  So service ID 10 is the first service of UDS, which is the session control service.
[35:54.450 --> 35:57.970]  So let's take a look and go through here.
[35:57.970 --> 36:04.930]  And we're going to add to it payload length, do some fun math here.
[36:04.930 --> 36:09.750]  And then we're going to go down to the actual loop.
[36:09.750 --> 36:12.690]  So we send our ID out.
[36:12.690 --> 36:14.730]  Let's see if I already sent it. I did.
[36:14.950 --> 36:18.030]  So here we go. We sent out a request.
[36:18.430 --> 36:21.590]  10-0-0-0-3-10-0-0.
[36:21.590 --> 36:24.010]  And look, we got a response back.
[36:24.010 --> 36:27.350]  0-3-7-F-10-12.
[36:27.970 --> 36:29.910]  So don't worry about what that means.
[36:29.910 --> 36:31.970]  I'll do all the parsing for you.
[36:32.650 --> 36:34.190]  Well, displaying for you.
[36:34.190 --> 36:39.110]  And I'll just sort of say, all right, since this is a 10-12,
[36:39.110 --> 36:41.510]  12 is what's called the negative response code.
[36:41.790 --> 36:43.570]  This is an error frame.
[36:43.570 --> 36:46.910]  This is like error. Hey, you have a problem with your request.
[36:47.470 --> 36:50.010]  And here's the response.
[36:50.010 --> 36:52.170]  And 12 is the negative response code.
[36:52.310 --> 36:57.070]  And what it's trying to tell you is, hey, we have an issue with that request.
[36:57.070 --> 37:04.210]  And the particular issue in this case, 12, means that the sub-function, 0-0 in this case, is not supported.
[37:04.650 --> 37:08.750]  What we're trying to do with the service scan is not see if the sub-function is supported or not.
[37:08.750 --> 37:10.590]  We want to see if the service is supported.
[37:10.590 --> 37:12.970]  Because we're going to probe to see if the service is supported.
[37:13.070 --> 37:15.830]  So ultimately, 12 is a good thing.
[37:15.830 --> 37:17.950]  So we're going to go down here.
[37:17.950 --> 37:19.450]  And I'm going to go run.
[37:19.490 --> 37:22.090]  And we're going to take a look at how that logic works.
[37:22.090 --> 37:23.810]  Hey, we received something.
[37:23.830 --> 37:25.030]  We got an ID.
[37:25.030 --> 37:29.850]  We got a negative response code, which is 7F, which we saw here.
[37:29.850 --> 37:32.610]  And the service identifier here, 7F.
[37:33.690 --> 37:35.910]  I see negative response code.
[37:35.910 --> 37:42.950]  We're going to pull that out and say, hey, negative response code came back as 12 hex or 18 decimal.
[37:42.950 --> 37:44.570]  Is that equal to 11?
[37:44.570 --> 37:45.670]  Why 11?
[37:45.670 --> 37:51.390]  Well, 11 is actually the negative response code for a service not supported.
[37:51.390 --> 37:53.070]  That's specifically what it means.
[37:53.070 --> 37:58.070]  So since this is a service that is supported, I don't really want to have that in my supported...
[37:58.690 --> 38:00.850]  I don't want to have this in my not supported list.
[38:00.850 --> 38:02.390]  I want to have that in my supported list.
[38:02.390 --> 38:04.810]  So I'm going to create two lists here.
[38:05.630 --> 38:07.370]  Or two sets, I should say.
[38:07.370 --> 38:13.350]  Two sets that we can sort of just...
[38:13.350 --> 38:14.410]  Hey, there's our service ID.
[38:14.410 --> 38:16.470]  I'm going to add this supported one to it.
[38:16.470 --> 38:19.050]  Even though I got a negative response, that's not terminal.
[38:19.050 --> 38:21.790]  It just means that the sub-function that I request isn't supported.
[38:21.790 --> 38:23.910]  But the service itself is actually supported.
[38:23.910 --> 38:24.970]  So there we go.
[38:24.970 --> 38:26.330]  Our service is supported.
[38:26.810 --> 38:28.390]  And I added that to my list.
[38:28.390 --> 38:31.090]  I'm just going to go through all of them real quick.
[38:31.090 --> 38:32.590]  It doesn't take very long.
[38:32.690 --> 38:37.430]  And we're going to take a look and see what that kind of looks like here.
[38:39.990 --> 38:43.910]  So I'm going to get rid of some of these breakpoints.
[38:44.950 --> 38:45.850]  And there we go.
[38:45.850 --> 38:47.190]  We kind of got the entire list.
[38:47.190 --> 38:47.990]  That was really fast.
[38:47.990 --> 38:50.770]  So it doesn't take very long to go through that list.
[38:52.030 --> 38:53.590]  Maybe we already did it.
[38:53.590 --> 38:54.790]  Yeah, it went really fast.
[38:54.790 --> 38:56.310]  Sorry, you guys might not have caught it.
[38:56.310 --> 38:57.650]  But it didn't take very long.
[38:57.650 --> 38:59.970]  It went through the entire list really quickly.
[39:00.290 --> 39:07.590]  And we got a list of all of the services that were particularly supported on that particular one controller.
[39:07.590 --> 39:09.270]  Now we just went through one controller.
[39:09.270 --> 39:10.890]  And that's what we're going to do at a time.
[39:10.890 --> 39:12.010]  Single controller.
[39:12.770 --> 39:14.670]  And we're going to try...
[39:14.670 --> 39:16.490]  Now that we have that list,
[39:17.990 --> 39:19.510]  we're going to print it out and see what happens.
[39:19.510 --> 39:21.270]  So what are we going to do?
[39:21.270 --> 39:25.270]  We're going to print out a list of all of the different services that are supported.
[39:25.270 --> 39:34.630]  In this case, 22, 85, 27, 28, 2E, 10, 11, 14, 36, 34, 37, 19, 3E.
[39:34.630 --> 39:36.730]  Those are all the services that are supported.
[39:36.730 --> 39:40.030]  Now if you want a good list of what these functions mean,
[39:40.030 --> 39:43.010]  I actually have that as an enumerated...
[39:43.010 --> 39:46.650]  I have created an enumerated list for all the particular services
[39:46.650 --> 39:48.230]  and what they mean inside of this.
[39:48.230 --> 39:50.030]  So you can actually reference it.
[39:50.090 --> 39:51.670]  I forgot where I put it.
[39:51.670 --> 39:54.250]  So give me a second here while I dig it up.
[39:54.250 --> 39:55.650]  I think I called it...
[39:56.250 --> 39:58.310]  Yeah, it's under service. Makes sense.
[39:58.310 --> 39:59.490]  Good spot for it.
[39:59.690 --> 40:02.790]  And I collapsed it here.
[40:02.790 --> 40:08.030]  But yeah, I have a service description that you can run.
[40:08.310 --> 40:10.970]  And there's a method called update service description.
[40:10.970 --> 40:14.850]  And there's a property of every service.
[40:14.850 --> 40:16.630]  So if you want to, you can enumerate a list.
[40:16.650 --> 40:23.510]  And just read out the service description from each of these services as well.
[40:23.510 --> 40:27.330]  There's also a list inside of here which I've collapsed because it's so big.
[40:27.530 --> 40:29.150]  I don't know where I put it.
[40:29.150 --> 40:30.770]  But I won't go into too much detail.
[40:30.770 --> 40:32.750]  But it's in there in the code itself.
[40:32.750 --> 40:36.190]  Feel free to take a look if you want to see what those service identifiers mean.
[40:36.190 --> 40:37.250]  But we can take a look.
[40:37.250 --> 40:40.970]  And there's just a handful that are really unique and interesting
[40:41.890 --> 40:44.710]  that we'll probably want to scan later.
[40:44.710 --> 40:47.290]  So we'll go ahead and take one of the services.
[40:47.290 --> 40:50.170]  I think the first one we're going to take is actually service 22.
[40:50.170 --> 40:51.730]  Because that's our first on the list.
[40:51.750 --> 40:56.190]  Which is kind of a bummer because that's the biggest of all the services.
[40:56.210 --> 40:59.510]  But let's go ahead and take a look at what it is we're actually doing here.
[40:59.510 --> 41:03.070]  So I'm going to create a little report for you after it's done.
[41:03.190 --> 41:07.750]  A list of all of the different service functions that are there.
[41:07.750 --> 41:12.190]  And I just want to kind of send out the service and see what's happening.
[41:12.190 --> 41:13.990]  So give me a second while I run it.
[41:14.930 --> 41:19.390]  So the next method we're going to do is now we have a list of all the services that are supported.
[41:19.450 --> 41:24.250]  Let's enumerate all of the particular service sub-functions that are also in there.
[41:24.250 --> 41:26.590]  So the first thing we did was ping all of them.
[41:26.590 --> 41:30.970]  The next thing we did was check the services that are supported.
[41:30.970 --> 41:35.270]  Now we're going to actually ask it to say, hey, what sub-functions are actually supported?
[41:35.790 --> 41:37.990]  I'm going to run that real quick here.
[41:40.050 --> 41:41.310]  Just one second.
[41:41.310 --> 41:45.230]  I don't want to get in too much right now because we're running out of time.
[41:45.390 --> 41:47.070]  But this one's pretty cool.
[41:47.090 --> 41:50.430]  So let's take a look and see what it is it's doing here.
[41:50.430 --> 41:53.950]  So what it's doing is it's sending out a request.
[41:56.630 --> 42:00.750]  0322 0091 0092 0093.
[42:00.750 --> 42:06.830]  You get the idea. It's just enumerating all possible identifiers or sub-functions for this particular service.
[42:06.830 --> 42:10.830]  In this case, this is a two bytes service, so it does it for you automatically.
[42:10.830 --> 42:12.070]  You don't have to tell it.
[42:12.190 --> 42:16.210]  That's part of the specification, how many bytes each particular service supports.
[42:16.210 --> 42:21.250]  So we're just going to enumerate through a list of all possible sub-functions that are supported.
[42:21.970 --> 42:27.790]  And eventually, when we're done, we're going to get a good list of all of the IDs that come through.
[42:27.790 --> 42:35.450]  Now, I did have a plan here on canceling this scan midway through
[42:35.450 --> 42:40.710]  so that we could get a list, but unfortunately, this particular service doesn't allow us to do that.
[42:40.710 --> 42:44.290]  So what I'm going to do is I'm going to go to a diff.
[42:44.290 --> 42:47.170]  I'm going to figure out how to exclude.
[42:47.470 --> 42:50.690]  Let me just think about how I can exclude a particular service ID.
[42:51.690 --> 42:52.910]  Maybe I can't.
[42:52.910 --> 42:57.130]  What I really want to do is, let me just look it up real quick while we hang out.
[42:57.130 --> 42:59.190]  I'm going to check out the scan real quick.
[42:59.190 --> 43:10.210]  And I'm going to see what this particular... I need to issue a keyboard halt error.
[43:10.210 --> 43:12.510]  And that will break out of it.
[43:50.800 --> 43:54.120]  So, just one second, I'm going to...
[43:54.880 --> 43:57.120]  So there's a really cool utility called...
[43:58.460 --> 44:00.300]  Oops, sorry.
[44:03.920 --> 44:05.540]  Called psutil.
[44:05.540 --> 44:08.520]  So I opened up another Python window.
[44:08.520 --> 44:15.340]  We use psutil, which allows me to send a SIGINT to a process.
[44:15.640 --> 44:19.440]  So we need to do a SIGINT and then it's called process.
[44:19.560 --> 44:34.280]  And then the process ID, which is pid equals 9971.signal.signal.
[44:34.280 --> 44:35.240]  I think it's two.
[44:37.740 --> 44:38.620]  Network.
[44:39.260 --> 44:40.140]  Oops.
[44:41.340 --> 44:42.700]  Send signal, sorry.
[44:47.330 --> 44:50.730]  And what that did is, it did a keyboard halt.
[44:50.730 --> 44:53.030]  So it's a good way to do debugging.
[44:53.030 --> 44:59.410]  It's just essentially, I'd have a try, catch, try, not catch, but try command.
[44:59.410 --> 45:01.670]  So here it is. It tried to...
[45:01.670 --> 45:04.490]  It actually ended that particular scan.
[45:04.490 --> 45:09.650]  So that, just for demonstration purposes, I wanted to show you what kind of report we were able to get out of that.
[45:09.650 --> 45:13.910]  And there you can kind of see, here's a list of all the identifiers.
[45:14.810 --> 45:18.850]  This is service 22 on this particular node, 747F.
[45:18.850 --> 45:21.250]  I don't know what node that is in the vehicle yet.
[45:21.290 --> 45:24.070]  Maybe I can get that from doing my service scan.
[45:24.690 --> 45:28.870]  But here it is. We have a list of parameter IDs.
[45:28.870 --> 45:33.050]  So this is sort of a matrix of 00, 010, etc.
[45:33.070 --> 45:39.630]  And so as we scroll down, you can kind of see, hey, this is a service that has a negative response code of 31.
[45:39.650 --> 45:45.650]  So 31 means that the request that I sent is out of range.
[45:45.650 --> 45:51.630]  So I sent an ID 0000 to it, and it says it doesn't support that.
[45:51.630 --> 45:54.930]  But where it shines is we can actually see what is supported.
[45:54.930 --> 45:59.810]  In this case, 0108 is supported.
[45:59.810 --> 46:06.350]  So if I scroll down and keep scrolling, you'll eventually see that some of these services are indeed supported.
[46:06.350 --> 46:10.470]  So we create a cool map of the services that are actually supported.
[46:10.530 --> 46:14.370]  And here we have a longer list. We can kind of get an idea.
[46:14.370 --> 46:19.650]  And not only that, we see the services that are supported, but I also, after I'm done printing the report,
[46:19.650 --> 46:24.410]  I'll also print the actual data bytes that I received from the service itself.
[46:24.410 --> 46:30.590]  So in the case of 0001, I got these data bytes.
[46:30.590 --> 46:34.410]  This is a byte string that returned back to me.
[46:34.410 --> 46:37.090]  So I can get a byte string of the actual data itself.
[46:37.090 --> 46:40.790]  Maybe there's some interesting information that's stored inside of the byte string.
[46:41.290 --> 46:44.990]  What I can do later with this list is I can say, OK, now that I have a list,
[46:44.990 --> 46:49.690]  I can go back and just kind of recapture the data over and over and over again.
[46:49.930 --> 46:52.370]  And so that's the idea. That's what CMAP does.
[46:52.370 --> 46:56.010]  It gives you kind of a cool list. I'm going to keep it running.
[46:56.950 --> 46:57.910]  Oops.
[47:01.190 --> 47:06.990]  Keep it running so we can actually get some other sub-functions or services that might come up.
[47:06.990 --> 47:11.370]  Some of the other services are much faster, so I'll let them run real quick.
[47:11.510 --> 47:12.770]  Here's another one.
[47:13.070 --> 47:17.210]  And pretty quickly get rid of all our debug information.
[47:17.310 --> 47:23.410]  And I'll scroll down. Here's service 85 and all the different sub-functions it responded back to.
[47:23.410 --> 47:29.290]  So it might not be that interesting. Maybe we'll get a 12, which means sub-function not supported.
[47:29.350 --> 47:33.930]  But in some cases, we don't get a 12. We get a 7F, which is incorrect.
[47:34.070 --> 47:40.430]  We can do this function or the sub-function, but not in this particular service or session.
[47:40.430 --> 47:42.070]  So we have to change our session.
[47:43.210 --> 47:45.250]  And what sessions are available?
[47:45.250 --> 47:49.150]  Well, there's another report that's going to come up later on what sessions are supported.
[47:49.150 --> 47:50.710]  So we can keep scrolling through.
[47:50.710 --> 47:58.230]  And as we're running through all of these things, we can kind of say, hey, look, service 28, what's unique about all of them?
[47:58.250 --> 48:00.330]  Or what's not unique about them?
[48:00.330 --> 48:05.910]  So here we are. We're continuing to run. We're on service 2E right now.
[48:06.010 --> 48:14.010]  Same with service 22. 2E is a very long one, so I'll issue another reset command as well.
[48:14.390 --> 48:18.770]  So we'll kind of speed this up a little bit, but you don't have to reset every time.
[48:18.770 --> 48:20.370]  Here we are.
[48:20.630 --> 48:27.370]  Oh, sometimes it'll get a little stopped up here. This is kind of a bug that I know I'm going to try to fix in the next revision.
[48:27.790 --> 48:34.350]  But if I don't get a response back from a particular controller, it sits there and waits for this 5 or 10 second timeout.
[48:34.350 --> 48:38.290]  And I really should just limit the timeout. I thought I was doing it, but it's not working right now.
[48:38.290 --> 48:42.950]  So this is something that is a known bug, but sometimes we'll get these no responses.
[48:43.210 --> 48:46.670]  And this is actually a correct no response. It shouldn't respond back to us.
[48:46.670 --> 48:52.090]  That particular one doesn't. So we'll wait for it. There it is. There's our service 10.
[48:52.110 --> 48:56.010]  It responds back that it supports these particular sub-functions.
[48:56.010 --> 49:00.350]  So I was just talking about modes before. There are actually three modes that it supports.
[49:01.250 --> 49:05.850]  10.01, 10.02, and 10.03. It supports all three of them.
[49:05.850 --> 49:09.410]  You'll notice that this is negative response code 12, which means it doesn't support it.
[49:09.410 --> 49:13.930]  But in this case, it does support. Service 10.01 is supported.
[49:13.930 --> 49:18.610]  10.02 is also supported, but it has a negative response code of 33,
[49:18.610 --> 49:22.050]  which means that you need security access first in order to do this one.
[49:22.050 --> 49:26.790]  So as a security researcher, you may be really interested, why do I need security access to do a 10.02?
[49:26.790 --> 49:32.150]  If you do a little bit more digging on this particular service or sub-function,
[49:32.150 --> 49:39.630]  this is the reprogramming mode. So it wants you to do security access in order to reflash the controller.
[49:39.630 --> 49:42.970]  This is actually very unusual. Most cars don't require this.
[49:42.970 --> 49:46.150]  But it's something that's new for these particular vehicles.
[49:46.550 --> 49:53.550]  Service 11 is an ECU reset service. If this had succeeded, we would have had some issues probably through here.
[49:53.550 --> 49:56.070]  The controller would have reset and taken a very long time.
[49:56.070 --> 50:00.950]  Don't know why these all fail. Maybe it doesn't have a sub-function, and that might be why.
[50:01.130 --> 50:07.450]  Service 14, similarly, quite interesting. Service 34, all of these need to be in a different sub-function.
[50:07.450 --> 50:16.010]  So we get a lot of really cool information just from the get-go of what may or may not be supported on these particular controllers.
[50:16.150 --> 50:21.050]  Including what is supported and what gives us a little bit of an empty spot.
[50:21.050 --> 50:24.930]  It means I didn't get a response back, so I don't know what to tell you. It's empty.
[50:24.970 --> 50:26.910]  So you get a lot of really cool information.
[50:26.910 --> 50:31.230]  If you run these for a very long time across all the different controllers,
[50:31.230 --> 50:34.330]  you're going to get a ton of information from the particular vehicle.
[50:34.490 --> 50:36.370]  And then maybe you can save it and do something.
[50:36.370 --> 50:40.970]  So I finished with one controller, and now I would move to the next one.
[50:40.970 --> 50:45.910]  So that's essentially what this is telling me it wants to do, is go to the next controller, etc., etc.,
[50:45.910 --> 50:49.470]  and find all the services and sub-functions on that.
[50:49.490 --> 50:51.370]  So I'm going to do that real quick.
[50:51.410 --> 50:56.070]  We're kind of running out of time, but I'd like to try to see what else we can get out of it.
[50:56.130 --> 51:01.010]  There it is, trying to get data from these controllers.
[51:01.010 --> 51:03.390]  Scroll down... it's really quite interesting.
[51:03.390 --> 51:08.690]  Now it's scanning this ID 620, and it has a response of 504.
[51:08.730 --> 51:11.730]  19, 22, and 3E are all supported.
[51:11.730 --> 51:15.190]  So this one only has three functions that are supported.
[51:15.190 --> 51:17.070]  Again, I'm running through a gateway.
[51:17.310 --> 51:20.750]  My thought process here is maybe if I get past the gateway,
[51:20.750 --> 51:27.310]  I'll actually have some more information that's available on the other side of the gateway,
[51:27.310 --> 51:29.690]  which I do have this connected, I just haven't done that yet.
[51:29.690 --> 51:33.670]  We have five minutes left, or ten minutes left, because I can't count.
[51:34.110 --> 51:35.550]  I think this is a good time to stop.
[51:35.550 --> 51:40.070]  I think I am giving you guys the information, but hopefully it's enough for you guys to go.
[51:40.070 --> 51:45.050]  Again, let me just type in the web page right here.
[51:45.510 --> 51:48.950]  www.github.com
[51:48.950 --> 51:50.170]  I'm typing in something else.
[51:50.450 --> 51:51.690]  Canvas at...
[51:53.430 --> 51:54.730]  There it is.
[51:54.730 --> 51:57.010]  It opened in Edge. You're welcome.
[51:57.570 --> 51:59.090]  I'll fix it.
[52:00.050 --> 52:01.590]  You get the idea.
[52:01.810 --> 52:03.890]  It's awesome. Thanks, Microsoft.
[52:05.190 --> 52:06.350]  That's what I want.
[52:06.350 --> 52:08.630]  And then CMAP is right here.
[52:10.030 --> 52:14.210]  So CMAP, essentially, you can go ahead and get this code that I just showed you guys today.
[52:14.210 --> 52:16.190]  I'm sure I'll be pushing some updates.
[52:16.870 --> 52:19.530]  Give me my first pull request.
[52:19.770 --> 52:24.470]  Somebody, right now, first pull request gets free CMAP.
[52:25.350 --> 52:29.310]  And if you guys have any other questions, I'll be around all day.
[52:29.690 --> 52:34.450]  Just hit me up on the Twitter at C-A-R-F-U-C-A-R.
[52:35.150 --> 52:43.810]  If you want to do your own CAN bus hacking or anything like that, I highly encourage you to get to the virtual.carhackingvillage.com.
[52:44.050 --> 52:48.670]  This car that I just showed you, it is on there. Everything I've just shown you is on there.
[52:49.090 --> 52:55.370]  You can put CMAP on there if you'd like to right now and run these right now on the same vehicle that I just ran this on.
[52:55.370 --> 53:00.670]  And if you have some questions, regardless of that, we'll be available to give you some hands.
[53:00.670 --> 53:03.750]  Alright, if there's anything else, any questions from the field?
[53:04.190 --> 53:05.550]  I've not seen anything.
[53:06.190 --> 53:09.650]  Maybe there wasn't anybody because of the initial start that we had.
[53:09.650 --> 53:10.650]  Yeah, this is horrible.
[53:10.650 --> 53:12.430]  For some reason, I was...
[53:12.430 --> 53:14.690]  A lot? Like two? Or three?
[53:15.250 --> 53:16.130]  Thirty!
[53:16.570 --> 53:20.030]  Hey, you over there. Yeah, you. How come you're not asking me a question?
[53:21.050 --> 53:22.690]  No, that. Over there.
[53:23.430 --> 53:24.410]  Yeah, you.
[53:25.370 --> 53:27.310]  Alright, maybe they don't have any questions.
[53:27.430 --> 53:29.590]  Yeah, I've seen no questions in the chat.
[53:29.590 --> 53:33.470]  That's fine. I guess I'm just that good at presenting. Or the opposite.
[53:33.470 --> 53:34.530]  Linted is telling me.
[53:34.830 --> 53:39.650]  Hey, Linted. Oh no, not Linted. Linted wants to know. He's got a technical question.
[53:39.750 --> 53:41.850]  Robert, what's wrong with the cars right now?
[53:42.090 --> 53:42.810]  Talk about...
[53:42.810 --> 53:47.790]  Talk about hardware checkout. Alright. I think you have to...
[53:47.790 --> 53:51.990]  Is Discord stream muted or is that just me? That's his question.
[53:53.590 --> 53:53.990]  So...
[53:53.990 --> 53:56.590]  You gotta go on Twitch, man. That's all there is to it.
[53:57.210 --> 53:59.450]  Alright, cool. Thank you.
